Paranoid Penguin - Customizing Linux Live CDs, Part II

Last month, I described a simple procedure for customizing the standard
Ubuntu Desktop 7.10 live CD. We got as far as uninstalling software packages
to make room for other things, installing some of those other things and
updating all packages on the live CD image.

This month, I go a step further by creating a TrueCrypt-encrypted
Documents directory that you can mount from a USB drive, in conjunction
with your live CD. Although that's handy in and of itself, you'll be able to
use the same method, with only minor modifications, to encrypt other
important directories as well.

As with last month's article, here I use Ubuntu both as the master system to
customize and repackage our live CD and for the source of the live CD ISO
image we'll customize. It's a popular and surprisingly compact
mainstream distribution. So, also like last month's column, much of what
follows will apply directly to other squashfs-based distributions, such as
Linux Mint, SLAX and BackTrack (not to mention Ubuntu variants, such as
Kubuntu and Edubuntu), and indirectly to most other live CD distributions.

I'm going to avoid the temptation to make this article a ground-up tutorial
on volume encryption in general or TrueCrypt specifically. Either topic
would make a substantial article all by itself. Maybe I'll tackle those at
a later date, unless I can persuade the Paranoid Penguin's Minister of
Cryptographic Outreach, Tony Stieber, to tackle them for me. (You may
remember Tony's articles “GnuPG Hacks” and “OpenSSL
Hacks” in the March 2006 and July 2006 issues of Linux
Journal, respectively). But, I will show you how to install
TrueCrypt on Ubuntu systems, and how to create and mount TrueCrypt volumes.

Ubuntu 7.10 vs. 8.4

I based the customized live CD in this article's examples on Ubuntu 7.10,
aka Gutsy Gibbon. When I wrote the article, 7.10 was current, but due to
Linux Journal's printing schedule, by the time you read this, Ubuntu 8.4
(Hardy Heron) should be available. However, most, if not all, of the example
commands herein should work fine with Ubuntu 8.4.

Note that Ubuntu 8.4 includes the packages easycrypt and gdecrypt, two
graphical front ends for TrueCrypt, but no packages for TrueCrypt itself,
on which both easycrypt and gdecrypt depend (though the latter, even
without TrueCrypt, can create non-TrueCrypt-compatible encrypted volumes).
So the instructions I give here on downloading and installing TrueCrypt
itself still are applicable to Ubuntu 8.4.

Installing TrueCrypt

Although I just disclaimed the intention of making this a TrueCrypt primer, a
little introduction is in order. TrueCrypt is a free, open-source,
cross-platform volume-encryption utility. It's also highly portable.
The
TrueCrypt binary itself is self-contained, and any TrueCrypt volume can be
mounted on any Windows or Linux system on which the TrueCrypt binary will
run or compile. TrueCrypt can be run either from a command line or in the X
Window System.

TrueCrypt is becoming quite popular and is held in high regard by
crypto experts I know (it appears to be a sound implementation of
known, good algorithms like AES and Twofish), but its license is a bit
complicated. For this reason, TrueCrypt hasn't yet been adopted
into Debian or Ubuntu officially, even though Ubuntu 8.10's universe packages
easycrypt and gdecrypt depend on it (see the Ubuntu 7.10 vs. 8.4 sidebar).

So, to install TrueCrypt on an Ubuntu system, you need to download it
directly from www.truecrypt.org/downloads.php. When I was writing
this article, TrueCrypt version 5.1 was current, and the Ubuntu deb file I
downloaded was called truecrypt-5.1-ubuntu-x86.tar.gz, though by the time
you read this, it may be something else. Besides an Ubuntu deb package,
TrueCrypt also is available as a SUSE RPM file (that also might work on
other RPM-based distros) and as source code.

Now, it's time to install TrueCrypt. You're going to need to install
TrueCrypt in at least two places: on the master system you're using to
create your custom live CD and either on the live CD image itself or on
whatever removable media (such as a USB drive) you're going to
keep your encrypted volume.

First, let's install TrueCrypt on the master system. Open a command shell,
unpack the TrueCrypt archive in your home directory, and change your
working directory to the directory that gets unpacked:

With TrueCrypt 5.1, only three files are installed on your system: its
license and user guide, both in /usr/share/truecrupt/doc/, and the binary
itself, /usr/bin/truecrypt. TrueCrypt doesn't require any special kernel
modules; it's a monolothic process. This means that if you copy
/usr/bin/truecrypt to the same Flash drive on which you keep your encrypted
volume, you won't need to install it on your Ubuntu live CD.

You may prefer doing so anyhow. Here's how:

Follow steps 00–12 in the procedure I described last month
for mounting your custom ISO and chrooting into it (see Appendix).

From a different, non-chrooted shell, copy the TrueCrypt
deb package truecrypt_5.1-0_i386.deb into the ISO root you just chrooted
into (isonew/custom/ in last month's examples).

Finally, follow steps 19–33 from last month's procedure to clean up,
unmount and repackage your custom live CD image. And, of course, use your
CD-burning application of choice to burn your image into a shiny new
live CD

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.